Analyzing Risks Qualitatively

perform qualitative risk analysis In the previous process you identified all possible risks on the project.

Next logical step is to prioritize them, so that high priority risks are addressed first.

Prioritization is done based on probability of occurrence and impact on project objectives if and when they materialize.

In PMBOK guide PMI suggests this to be done in this process called Perform Qualitative Risk Analysis.

Since this is a qualitative measure, it is subjective assessment based on risk data and parameters. With this we do our best to prioritize the risks.

Once thus analyzed, the risk list then forms a basis for analyzing risks quantitatively. With some numbers in front of each risks it becomes easier to prioritize them.

Though this may sound daunting, risk analysis is actually pretty straight forward.

Quite evidently, Risk management plan is what we need to consider. It outlines the approach to take for qualitative analysis of risks. Plus it contains roles and responsibilities of people that manage risks, RBS (risk breakdown structure), definition of probability and impact, and so on.

Risk register has all identified risks, so can’t run without this project document.

Remember the adage ‘assumption is the mother of all problems’? We do need the assumptions log to unearth any hidden risks lurking in there.

Stakeholders! Of course – we used stakeholder register to identify risks, and now we’ll use it to analyze them as well.

Artifacts such as risk databases or industry studies of similar projects come from EEF.

While analyzing risks we will need all the help we can get. An ounce of prevention may indeed turn out to be better than a pound of cure later. Organizational process assets may have risk related studies done earlier or lessons learned from similar earlier projects.

How do we analyze?

Call in the experts! Getting them into group settings (facilitated workshops) and one-on-one meetings will help analyze probability of risks materializing and their impact on project objectives.

Probability and impact matrix is quite simply a tabular representation that assigns a numerical value to every combination of probability value and impact value. This numerical value is arrived at by multiplying probability value and impact value, as shown below. This matrix is expected to be available in organizational process assets.

Risks that have low probability and impact are included in a watch list. This is monitored at regular intervals to see if their probability or impact ratings have changed.

Each risk is prioritized based on the value derived from this matrix, looking at their probability and impact numbers.

Risks that have values from the dark zone in the matrix below will have higher priority, requiring aggressive response strategies.

Sample-probability-and-impact-matrixFigure: Sample Probability and Impact Matrix

  • Separate Probability and Impact Matrix is used for threats and opportunities
  • A separate matrix can be prepared for each of the project objectives such as cost, schedule, quality and scope
  • Number of steps in the matrix is determined based on organization’s preferences

Let us look at a simple example –
You are preparing tea for the guests. What are the couple of risks you can think of?

  • Sugar added may be more than required, making tea too sweet
  • Tea may have over-boiled, making it bitter

Let us assign probability and impact percentages:

tea-risk-probability-impact

Here, Scale is determined by looking up the probability and impact values in the chart and where the intersecting cell falls into – low, medium or high.

Adding excessive sugar is assigned a scale of medium risk and over-boiling tea, high risk.

This could also be due to the fact that, in this simple case, we understand the risk responses: there is a way to correct the mistake in the former case (sweetness lessened by adding milk), but for the second risk the possibility of correction is very less. In this example we even derived the output of another process: Plan Risk Responses.

Risk data quality measurement is about ensuring that the risk data used to assess priorities is accurate. Since this is qualitative assessment the strength of assessment depends on the quality of data used. This assessment is done either by experts, or by project management team by looking at such data from previous projects.

Risk categorization is about grouping risks on some basis. Risks can be categorized based on source, level of impact, root cause, or anything that helps in strategizing effective responses. Categorization helps in coming up with common risk responses that can be applied to multiple risks.

Risk urgency assessment is about figuring out which risks need to be addressed in short term. This can be decided based on the prioritization done using probability and impact matrix.

Similarly we assess risk proximity (how long it takes after a risk is materialized for it to impact project objectives?), risk dormancy (how long it takes for a risk impact to to discovered after risk has materialized?), risk detectability (how easy it is to detect a risk?), risk manageability (how easy or difficult it is to manage the impact of the risk?) and so on. These will help in risk prioritization.

Interpersonal and team skills of the project manager are put to test here.

Because some people might feel that they are responsible for the risks and might not be comfortable identifying risks in the first place. The project manager needs to create an environment of trust and faith and impress upon the fact that identification of risks is in the best interest of project, stakeholders, and the team.

Encouraging identification and detection of risks should a regular practice because risk management is a regular process that happens throughout the project.

What’s the impact?

Risk register is updated. It had to be, right? We have updated the list of risks with qualitative measurement values and prioritized them.

Risk register can be updated with following information –

  • Risk prioritization based on probability and impact
  • Risk categorization
  • Additional information about a risk such as trigger conditions and likelihood of occurrence
  • List of risks that need responses in near-future
  • List of risks that are low on probability and impact, that can be put on a watch list
  • Some risk responses may be discovered while analyzing risks
  • List of risks that could not be analyzed for lack of data and are to be considered during Perform Quantitative Risk Analysis process

Assumption logs – more you understand about risks more assumptions will be validated, which can be updated in the assumption logs.

In fact any project document that is referred to in the process can potentially be changed – risk register, issue log, and so on.

Now that we have the list of risks analyzed and prioritized, let us look at some ways of analyzing and assigning numeric values so we can prioritize them even better.

{ 0 comments… add one }